InCommon as Infrastructure: How Recommended Practices and Federation Features Help Scale Federated Identity Management Michael R. Gettes, Carnegie Mellon.

Presentation transcript:

InCommon as Infrastructure: How Recommended Practices and Federation Features Help Scale Federated Identity Management
Michael R. Gettes, Carnegie Mellon University
Renee Shuey, The Pennsylvania State University
Internet2 Member Meeting, October 1, 2012

RL “Bob” Morgan

Agenda
Current/Active Practices and Federation Features
Emerging Practices, trends and ideas
Future issues

Current/Active Practices
Assurance
– Bronze/Silver
Contracts
Attribute Release
– Easing integration
– Categories
Metadata
– Timely data
– Keys, endpoints & tigers, oh my!
eduPerson Schema

Assurance
Virginia Tech has achieved Bronze & Silver!
Many institutions are currently working towards Bronze & Silver.
If Silver is too soon for you – consider Bronze!
POP vs. Bronze

Contracts University of California and University of Texas language at Carnegie Mellon and Penn State specify software interoperability (work with Shib IdP, not just specify SAML) and require joining InCommon. Of course, not everyone joins. Language varies.

Attribute Release
Develop a simple default attribute release policy with maximal coverage (CMU policy on the next slide).
InCommon is creating categories of services to help IdP and SP operators determine attribute requirements.
– Research & Scholarship Category

Carnegie Mellon Attribute Release

Attribute Release
While a security principal is supposed to be just a security principal, with cloud integrations we see more use of email addresses as principals. This is unfortunate.
Having eduPersonPrincipalName (ePPN) happen to be a working, reliable email address eases cloud integrations.
Ensuring that ePPN is never reassigned also eases cloud integrations.
Use eduPersonTargetedID where possible.
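An added illustration (not from the slides) of why the slide prefers a non-reassigned ePPN and, where possible, eduPersonTargetedID: the pairwise ID below is modeled on the Shibboleth IdP "computed ID" convention (SHA-1 over SP entityID, a stable internal account key and a secret salt), which is an assumption here, and the salt, scope, entityIDs and account keys are constructed.

```python
import base64
import hashlib

# Constructed, hypothetical IdP secret. In a real deployment the salt is generated
# once, kept secret and never changed, otherwise every targeted ID changes.
IDP_SALT = b"constructed-example-salt"


def eppn(uid, scope):
    """eduPersonPrincipalName: human-readable and scoped, so it doubles as a
    mail-shaped address. It is only a safe principal if uid is never reassigned."""
    return f"{uid}@{scope}"


def targeted_id(sp_entity_id, account_key, salt=IDP_SALT):
    """Pairwise, opaque eduPersonTargetedID for one account at one SP.

    Modeled on the Shibboleth computed-ID scheme (assumed, not stated on the
    slides): SHA-1 over "<spEntityID>!<accountKey>!<salt>", Base64-encoded.
    Different SPs receive unrelated values, so they cannot correlate the user,
    and a recycled uid never yields the same ID because the hash covers the
    internal account key rather than the login name.
    """
    material = f"{sp_entity_id}!{account_key}!".encode() + salt
    return base64.b64encode(hashlib.sha1(material).digest()).decode()


def principals(uid, account_key, sp_entity_id, scope="example.edu"):
    """The two identifiers one SP would see for a given account (constructed scope)."""
    return {"eppn": eppn(uid, scope),
            "targeted_id": targeted_id(sp_entity_id, account_key)}
```

If "alice" leaves and a new person later receives the same uid, the ePPN collides while the targeted ID does not, which is exactly the reassignment problem the slide warns about.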

Metadata
Until metadata is no longer distributed via files…
Describes all federation entities (Identity & Service Providers).
Timely metadata update is important!
Pay attention to strong keys (2048-bit keys) in MD.
Quickly moving to all endpoints via SSL (don’t forget the InCommon Certificate Service!!!)
MD is transforming to provide UI hints, error handling & other benefits affecting operations and user experience.
GOOD METADATA IS IMPORTANT!

Metadata Growth
Since SMM-2012: IdPs, 14% growth; SPs, 13% growth.
Federation software developers and Federation Operators need to begin addressing this problem space.
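An added example (not one of the InCommon Ops tools the slides mention) of the checks the two metadata slides call for, run over a small constructed aggregate: it counts IdP and SP roles, flags a file past its validUntil, entities with no KeyDescriptor, and endpoints not served over https. The entityIDs and certificate text are placeholders; key size is not checked because that needs an X.509 parser on each certificate.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
TS = "%Y-%m-%dT%H:%M:%SZ"  # validUntil timestamp format used in SAML metadata

# Constructed sample aggregate (not real InCommon metadata): one IdP with a
# key and an https endpoint, one SP with no KeyDescriptor and a plain-http ACS.
SAMPLE_METADATA = """<md:EntitiesDescriptor validUntil="2012-10-15T00:00:00Z"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="http://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def audit_metadata(xml_text, now_utc):
    """Count IdP/SP roles and flag a stale validUntil, entities without any
    KeyDescriptor, and endpoints not served over https. now_utc is an ISO
    timestamp such as "2012-10-01T00:00:00Z". Key size is deliberately not
    checked here; that requires parsing each ds:X509Certificate."""
    root = ET.fromstring(xml_text)
    report = {"idps": 0, "sps": 0, "stale": False, "no_keys": [], "insecure_endpoints": []}
    valid_until = root.get("validUntil")
    if valid_until:  # an aggregate past validUntil must no longer be trusted
        report["stale"] = datetime.strptime(valid_until, TS) < datetime.strptime(now_utc, TS)
    for ent in root.iter(MD + "EntityDescriptor"):
        eid = ent.get("entityID")
        report["idps"] += ent.find(MD + "IDPSSODescriptor") is not None
        report["sps"] += ent.find(MD + "SPSSODescriptor") is not None
        if ent.find(".//" + MD + "KeyDescriptor") is None:
            report["no_keys"].append(eid)
        for el in ent.iter():  # every SAML endpoint element carries a Location
            loc = el.get("Location")
            if loc and not loc.startswith("https://"):
                report["insecure_endpoints"].append((eid, loc))
    return report
```

Point it at a downloaded aggregate and a current timestamp to get the same report for a real federation file.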

eduPerson Schema
eduPerson started as an LDAP schema, but its practicality has exceeded LDAP.
Now used as the lingua franca for R&E app integrations.
Pay close attention to this schema to aid with attribute release issues and ease application integrations.
Consider referencing the eduPerson schema in contracts.

Emerging Practices and Tools
Repository of software and pointers to tools
Federated Error Handling
Federated Security Incident Response
Delegated Admin for InCommon

Repository
InCommon Ops committing to GitHub soon:
– SAML2JSON translator
– Smart Web User Agent (smart_get)
– SAML Metadata Cert Parser
– SAML Entity Probe
– SAML2AttributeFilterPolicy XSLT script for R&S
Web page coming. Community contributions encouraged.

Federated Error Handling
Guidance at
3 sites in R&S already using FEH
– (PSU wikispaces, OSU carmenwiki, i2 filesender)
Did you know there is an FEH service?

FEH Service Example

Federated Security Incident Response
See Origins from CIC Id Mgmt Task Force
Federated identity introduces new challenges for security incident response. Federation participants should consider the impact of federated identity in their incident response practices and treat federated identity partners impacted by a security incident in a similar manner as they would local parties.

Delegated Admin for InCommon
Metadata mgmt needs to scale. DA is critical to make this possible.
Distribute the mgmt for MDUI, LoA, descriptive info per SP, Federated Error Handling.
Easily allows InCommon as local federation.
Supports federated access, of course.

CMU – Profile
Spring 2011: deployed IdP, began using InCommon as local federation.
Summer 2011: Default attribute release policy
Fall 2012: 117 SPs, 2 IdPs. > 75% of all authNs now federated. 150 old pubcookie sites to go. Uptake was fairly quick. Will decommit pubcookie summer
Sept 2012: > 1M SSO events – google analytics

In Summary
The more successful InCommon is, the greater the benefit of InCommon to all of us.
– Knowing other participants operate well increases the trust among us.
– We must express how we operate (metadata).
We need to share our methods, tools and policies so we may help and learn from ourselves.
So why don’t we all put our SPs into InCommon?